Anyone in the healthcare field is familiar with the Health Insurance Portability and Accountability Act (HIPAA), a federal law created to ensure individual privacy and protect personal health information.1,3 There have been concerns regarding telehealth’s ability to uphold this guarantee of privacy – concerns of increased vulnerabilities. Telehealth involves more than just the patient and provider. The companies that create the equipment, the vendors that work to transmit the data, and others are also held accountable for protection of patient information by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.2,3 While technological advancements alone cannot guarantee protection of personal health information, they can aid in the process with features such as software and network encryption, password protection, etc.1
Often included as a branch of telehealth is mHealth, or mobile health, where tools such as wearable devices and mobile applications transmit data intended to go to pre-approved parties like a healthcare provider or friends and family. However, there are limitations on the regulation of this information sharing – for example, financiers and third-party advertisers that sponsor mobile applications can access and use information collected by these devices.2 This information is often disclosed in small, lengthy legal print that few people read and/or understand.2 The Fair Trade Commission Act and to some extent the Food and Drug Administration (FDA) are responsible for preventing and managing deceptive uses of this information; however, if the patient agrees to the terms and conditions (which we often do without reading just so we can use the product), that protection is somewhat minimized.2
When telecommunication is taking place between two providers or two healthcare settings, networks are HIPAA-compliant, making them more secure – privacy can be more easily ensured.2 However, as many states break down the barriers around eligible telehealth sites and mHealth equipment becomes more widely used, that same security cannot be as easily ensured on the patient’s end.2 These scenarios make breaches of confidentiality or unauthorized access to protected health information a greater risk.2
As mentioned above, data encryption goes a long way toward protecting personal information. “End-to-end” encryption (meaning from provider to patient and vice versa) ensures that information is decrypted only when accessed at one of those two endpoints. Data that is accessed between those two endpoints (i.e., during transmission or storage) is essentially meaningless to the hacker.2
Authentication and other access control mechanisms are also useful tools for controlling who has access to protected health information.2 Another data protection strategy involves limiting the distribution of telehealth software and devices to in-person visits to verify who is obtaining this technology and who it is coming from.2 Requiring a face-to-face initial visit in order to get the telehealth system set up can be seen as a nuisance to some, and possibly a relief to others.
The very foundation of telehealth is technological innovation. As with all technology, privacy is always a concern. However, the implications of misusing healthcare data carry a heavier weight to many people. Concerns over data security and patient privacy are at the very root of telehealth barriers. Much progress has been made, as discussed above, but in no way is the struggle over.
1. Center for Connected Health Policy (CCHP). (2016). HIPAA. Retrieved from http://cchpca.org/hipaa-0.
2. Hall, J.L. & McGraw, D. (2014). For telehealth to succeed, privacy and security risks must be identified and addressed. Health Affairs, 33(2), 216-221. doi: 10.1377/hlthaff.2013.0997.
3. Schweitzer, E.J. (2013). Reconciliation of the cloud computing model with US federal electronic health record regulations. Journal of American Medical Informatics Association, 19, 161-165. doi: 10.1136/amiajnl-2011-000162.